theregister.com

This is the FBI, open up. China's Volt Typhoon is on your network

Nick Lawler, general manager of the Littleton Electric Light and Water Departments (LELWD), was at home one Friday when he got a call from the FBI alerting him that the public power utility's network had been compromised. The digital intruders turned out to be Volt Typhoon.

Lawler didn't believe it at first. LELWD provides electricity and water to the towns of Littleton and Boxborough, Massachusetts, which have a combined population of about 15,000 people.


"We don't have any access to large critical infrastructure. We don't own transmission. We're a distribution company. Yes, we're part of the overall grid, but the impact of taking out Littleton is small. You would never think that would be a target of any type of attack," Lawler told The Register.

The FBI agent told him that LELWD was one of 200 utilities on a list of organizations that had been breached. He asked Lawler to give his personal email address and said he would send over a link to click on and further diagnose the severity of the issue.

"It sounded like one of those Microsoft scams," Lawler said. He told the agent: "Go f-yourself, I'm not going to click on a link, you must think I'm an idiot. What is your name again?"

Then he hung up and called the FBI Boston office directly. The same agent answered his call, and this is when Lawler started to think it might be serious. But he still wasn't going to give out his personal information, so he told the FBI to show up at the utility the next Monday at 10 am.

"It was still surreal to me," he said. "You never think you are the victim of that type of attack."

Over the weekend, between family life and kids' sports games, Lawler mostly forgot about the incident – until Homeland Security officials showed up at the office Monday morning, and handed Lawler an unclassified document about Volt Typhoon.

This was in November 2023, the start of Thanksgiving week, and the now-infamous Chinese government-backed hacking crew wasn't yet on most people's radars except for those paying very close attention to Five Eyes' intelligence agencies' warnings.

Volt Typhoon wouldn't become a dinner-table discussion until January 2024, after the spies had infected hundreds of outdated routers to build a botnet and break into US critical infrastructure facilities. The Beijing-backed crew, we would later learn, was prepositioning itself and readying destructive cyberattacks against those targets.

Happy Thanksgiving, you've been hacked

After visiting Lawler at work, and telling him the federal government was here to help at no cost to the public utility, DHS wished him a happy Thanksgiving and told him not to worry.

"You just gave me this pamphlet about how the Chinese government is planning these attacks, and living off the land," Lawler remembers thinking. "How can I enjoy Thanksgiving?"

LELWD had been working with operational technology (OT) cybersecurity company Dragos as part of an American Public Power Association government-funded program to assist smaller public utilities, and Dragos had installed sensors on the OT network in August 2023. Through these sensors and the firm's OT threat hunting service, Dragos spotted unusual network traffic, including communications with China, that shouldn't have been occurring.
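The detection described above comes down to a simple question an OT sensor can answer from flow data: which hosts inside the control network are talking to external addresses they have no business talking to? The following is an added example, not code from The Register, Dragos or LELWD, and it makes up everything it uses: the OT subnet, the short allow list of expected external peers (a hypothetical vendor support host and an NTP server), and the flow records, whose external addresses are drawn from the RFC 5737 documentation range 203.0.113.0/24 rather than any real network.

```python
"""Added example (not from the article or from Dragos/LELWD): a minimal
egress-anomaly check of the kind an OT network sensor performs over flow
records. All networks, addresses and flows below are constructed."""
import ipaddress
from collections import defaultdict

# Constructed: the utility's OT network, the address ranges that count as
# "inside" (plain RFC 1918), and the only external peers OT hosts are
# expected to reach (hypothetical vendor support host and NTP server).
OT_SUBNET = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
ALLOWED_EXTERNAL = {"203.0.113.10", "203.0.113.20"}

# Constructed flow records: (src, dst, dst_port, bytes_out). The 203.0.113.x
# addresses are the RFC 5737 documentation range, used here as stand-ins.
SAMPLE_FLOWS = [
    ("10.50.1.5", "10.50.1.9", 502, 1200),       # Modbus inside the OT network
    ("10.50.1.5", "203.0.113.10", 443, 800),     # vendor support, allowed
    ("10.50.2.14", "203.0.113.20", 123, 96),     # NTP, allowed
    ("10.50.2.14", "203.0.113.77", 443, 48000),  # unexpected external peer
    ("10.50.3.2", "203.0.113.77", 8443, 92000),  # same peer, second OT host
]


def is_internal(addr):
    """True if the address lies in one of the configured internal ranges.
    An explicit list is used instead of ipaddress's is_private/is_global,
    which also classify documentation ranges like 203.0.113.0/24 as
    non-global and would hide the sample peers."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def flag_unexpected_egress(flows, ot_subnet=OT_SUBNET, allowed=ALLOWED_EXTERNAL):
    """Return flows whose source is inside the OT subnet and whose
    destination is external and not on the allow list."""
    flagged = []
    for src, dst, port, nbytes in flows:
        if ipaddress.ip_address(src) not in ot_subnet:
            continue  # not an OT host; out of scope for this check
        if is_internal(dst) or dst in allowed:
            continue  # internal traffic or an expected external peer
        flagged.append((src, dst, port, nbytes))
    return flagged


def summarize_by_destination(flagged):
    """Aggregate flagged flows per external destination: which OT hosts
    reached it and how many bytes left. One external peer contacted by
    several OT hosts is a stronger signal than a single stray connection."""
    summary = defaultdict(lambda: {"hosts": set(), "bytes": 0})
    for src, dst, _port, nbytes in flagged:
        summary[dst]["hosts"].add(src)
        summary[dst]["bytes"] += nbytes
    return {
        dst: {"hosts": sorted(v["hosts"]), "bytes": v["bytes"]}
        for dst, v in summary.items()
    }


if __name__ == "__main__":
    for dst, info in summarize_by_destination(flag_unexpected_egress(SAMPLE_FLOWS)).items():
        print(f"{dst}: {len(info['hosts'])} OT host(s), {info['bytes']} bytes out -> {info['hosts']}")
```

On the constructed flows the check reports one external peer, 203.0.113.77, contacted by two OT hosts with 140,000 bytes sent; the Modbus flow and the two allow-listed peers are ignored. In a real deployment the allow list would be learned from a baseline period rather than typed in, and the per-destination summary is what an analyst would pivot on before deciding whether the peer is a forgotten vendor endpoint or something that should not be there.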

The Chinese snoops gained initial access via a buggy FortiGate 300D firewall, according to Lawler. Fortinet patched this flaw in December 2022, but as of August 2023 LELWD's managed services provider still hadn't updated the firmware. The water and electric utility has since fired that MSP.

By December, the federal government had also installed its own sensors on LELWD's networks and requested that the utility leave the security hole open so they could monitor the spies' activity.

"That made me more uneasy than anything up until that point, because if something else was to happen, then we had willingly, knowingly left the vulnerability open," Lawler said. "But we believed in the greater good. We knew other utilities had been impacted. Our president flies an American flag at his house and has since 9-11. We wanted to support the government trying to get the bad guys."

A week before Christmas, the feds and the Chinese spies were off LELWD's networks, and the firewall vulnerability was patched. The utility completely rebuilt its networks to ensure it didn't just copy over a Volt Typhoon backdoor, and last August the government agencies performed a three-week penetration test to ensure the utility's network defenses were working properly (they were).

Lawler still doesn't have a good answer as to why Volt Typhoon targeted his power utility other than for reconnaissance and espionage purposes.

"I wouldn't say anything related to our substation or our engineering was compromised," he said. "They did access our servers. They knew where those vulnerable firewalls were, and they tried to get behind them. I still don't know why Littleton other than we had a hole and they found it." ®
